back to article Group policy for Unix

I was raised in the Red Hat world of Linux, starting with Red Hat 2, moving to Mandrake, and returning to Red Hat once more. Since then I have been using it through every iteration and have dabbled in Debian and Gentoo based distributions as well. Each camp has evangelical believers, but I tend to stick with Red Hat not because …


This topic is closed for new posts.
  1. Anonymous Coward

    I just want...

    to be able to manage Win clients via GPO from Samba servers. Easily. Tidily.

    Is that too much to ask? <sob>

    Oh, and a WSUS-equiv'd be nice, too...

    1. Trevor_Pott Gold badge


      Manage Windows systems from Linux? Samba 4 GPOs. Sorted.

      Linux WSUS equivalent, well now...THAT is a whole other mess of articles entirely...

      1. sgb

        Samba 4

        ... isn't ready for production yet, last I read.

        Regarding Linux WSUS, the best I've managed is wsusoffline on a samba share, kicking it off from a logon script after patch tuesday. Users can still cancel/ignore it though.

        1. Trevor_Pott Gold badge

          "Ready for production" is a relative term.

          I would be perfectly comfortable running a four or five PC network on Samba 4 as it sits now. I would not run a Ten PC network on it, or anything with mission critical requirements. But simply: it's stable so long as once you get it running, you leave it the hell alone.

          So it's a relative thing. If you are wanting "free GPO management" for a small network, it’s actually probably “good enough.” If you are trying to run anything much bigger than your home network or a “Ma & Pa” shop off of it, then I would have to point you elsewhere.

          Actually, for SMEs, Novell’s stuff is, I think, cheaper /seat than Microsoft’s, so might be the natural compromise point.

          1. Anonymous Coward

            "point you elsewhere"


      2. Anonymous Coward

        Samba 4?

        Did Hell freeze over and I missed it?

        It's not being exactly the speediest product to launch...

      3. Ia3in


        If you know of an open source WSUS equivalent that happens to have better scheduling I'd really like to see an article on it....

  2. Billy 8


    I manage quite a lot of disparate *nix systems using Puppet. Free, open and very straight-forward. Works on OS-X too. It's more unix-ie than faffing about with Likewise/A.D etc, I find anyway. And a lot easier to debug ;-)

    1. Trevor_Pott Gold badge

      @Billy 8

      And it's great. If you happen to know a fair amount about Unix to begin with. Puppet isn't for a junior admin, or someone new to Unix. If you have a guy with a Windows network who must now suddenly support a series of Unix systems, puppet is dense and terrifying. If the admin responsible for the Unix boxen is fresh out of school, I'm not letting him anywhere NEAR the puppet server.

      For me, who has been using Unix in one form or another for at least two decades, Puppet is great. I can think of at least fifteen other sysadmins I have drinks with on a regular basis that would be openly weeping after trying to use it, because they are neither any good at scripting, nor do they really know that much about the underlying operating systems.

      Every time they try to use Linux, they are handed a different distro, which hides its files in a different place and they end up confused. Puppet can help with some of that, but it still relies on the admins having a fair amount of knowledge to start off with.

      I look at puppet as a grown-up admin’s systems management tool. Great if you already know what you are doing, and are simply looking to save some time. Group Policy on the other hand is like IT training wheels. Eventually you have to take them off, but (most) people need them for a little while at least.

  3. JP19

    Nice article, but missing info...

    > Go try it, and see if any policies you care about are missing. I couldn’t find any.

    > stood up to every requirement I could impose on it.

    So what policies and requirements *did* you test then?

    1. Trevor_Pott Gold badge


      That information could take a couple articles on its own. But, to be brief, basic settings such as time servers, logging policy, automount, password configs (like max/min age), configuring the look and feel of gnome and a terrifyingly large amount of cronjob manipulation.

  4. Daniel 19

    Why do you want something that makes it look like Windows?

    To me, Windows has always been needlessly complex. Why would you want Unix to be the same? The beauty of everything being a file, is that there is only one way to edit settings for everything. This makes version control very easy as you can just copy the old file and save it somewhere with a date. You need to roll back, no problem... To learn how to change settings all you need to know how to do is edit files and usually restart or HUP a service, with Windows you need to know how to change files, edit registry keys, run commands and sometimes I am pretty sure you can only do things by sitting at the machine itself. Then there is the registry hell. Find the key that controls what items are started when the system boots.. Oh. that is in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, that makes a lot of sense, I would have looked there. With Unix if I don't know where something is, I can usually do a find on the filesystem.

    All that is really needed is something that keeps the files the same on every system in an automated fashion. Something like Redhat Network/Spacewalk works well. Someone mentioned puppet. It isn't like Group Policy, but it can do so much more and it really is no different than just editing files from the local console, but now on a global level. The beauty of Unix is that the inner workings are simple (at the expense sometimes of the outer layer), last thing I want is some abstraction layer that I no longer understand.

    1. Anonymous Coward

      I agree, but...

      Indeed, I also think AD is powerful but too complex, and I also think Linux should try to offer similar functionality with less complexity (Plan 9 did nice things in this field). The problem is...there's no such software. And the several GPO alternatives we have are not standardized across the Linux distros. And we need a standard, because often software needs to be modified to be GPO-able, and configuration files have different formats, etc. There's a lot of work to be done in this field, to be fair.

    2. frymaster

      the thing is...

      ...the registry isn't meant to be human-readable

      being able to find out about your OS by digging in files is cool, but for professionals, I'd rather they found out about it by digging in the documentation

  5. j scott
    Thumb Down

    OSX+GPO -- At What Cost?

    ADmitMac is $2,999 for 25 licenses!! For that price I can afford to send two PFYs around to the offices and manually configure the Mac's settings!

    1. Trevor_Pott Gold badge

      @J Scott

      Not to offend anyone, but I kind of figured if they were buying Macs, price wasn't something that mattered to them in the first place...

  6. s. pam Silver badge

    There are other options out there

    We use Symantec's Control Compliance Suite Standards Manager which covers both standards (patches, OS levels, etc) and controls easily in an automated fashion. They cover all our platforms and we can simply run the tool to evaluation -> actions on the 8+ different platform versions (mult UNI* and Win*) so we can address variations between environments.

    Routinely we don't use the GUI for anything other than reporting as we have scripts that work easily with what they've got OOTB. Our management is now having us upgrade / add in their Policy Manager as we have to do more checks and controls for Audit on things like our credit card transactions with PCI, and some ISO controls that the company is controlled in. We've had a few hiccups over the years, but we've done well overall.......

  7. Justin 15

    Why is AD so critical?

    Wouldn't you be better using an industry standards compliant LDAP server and have everything hanging off it? AD, NIS, NIS+ etc should all get their feeds from it. Using AD as the central directory screams vendor lock-in using a proprietary product.
